Why use a Password Manager

For a quick intro to internet security 101: the easiest way to “hack” into a website is not finding that one tiny loophole in the code that exists for three minutes if the conditions are just right. No, it’s simply to guess or steal a valid user’s login information: via phishing, via a keylogging virus on the computer you used to access the site, or by “listening” to your traffic to an insecure website (i.e. one served without HTTPS, which depends on a valid SSL/TLS certificate from a trusted authority).

There are several ways to increase the likelihood that your secure information won’t be snatched by the bad guys:

Don’t type or copy/paste your passwords to log in: keylogger viruses can record the URL you’re on and every key you press, and anything you copy to the clipboard (passwords included) can be read by other programs on that machine

Don’t carry your passwords around with you in written form in your wallet or purse, or store them unprotected on your mobile device

So what SHOULD you do? Get a cloud-based password manager, like LastPass.

Why use LastPass

LastPass gets its name from attempting to be the last password you’ll ever need to remember.

Here’s the basic workflow:

Sign up for a LastPass account

Install LastPass to your desktop/laptop

Go through the auto-import process to copy all the passwords from your browsers into LastPass

Delete passwords from your browsers and replace their password managers with the LastPass browser add-on/extension

Sign into the LastPass toolbar in each browser

Browse the web like you normally do

When you visit a site whose login information you’ve saved to your LastPass account (i.e. your LastPass Vault), it prompts you to log in; you click, and you’re logged in without copying, pasting, typing, or even needing to know the password you just used

Secure notes, for when the secure content isn’t just a website or a username / password combination (any content can be stored)

Cloud-based so your LastPass Vault syncs to all your devices (sometimes there’s a delay when adding a new site in one browser and using the browser toolbar in another browser)

Share logins with other LastPass users (email isn’t a secure way to send sensitive information, you never know who’s listening to your phone calls, pieces of paper get lost, and spreadsheets aren’t for passwords)

Import and Export functionality

Identify duplicate and/or weak passwords in your LastPass Vault so you can know to change them

In June 2013, a month before this post was written, the New York Times ran an article about Dashlane 2.0. I link to it only to provide you with their list of alternatives to LastPass: Roboform, KeePass, 1Password, and Dashlane. When my mom (whom I helped move from insecure spreadsheets to LastPass via CSV import) sent me that article, my first thought was that it was very one-sided (possibly a paid review for Dashlane) because it just so happened to come out at their 2.0 release and because LastPass outshines Dashlane in every way except aesthetics.

My main reason to recommend LastPass over Dashlane or the others is because it’s the one I’ve been using for years and have helped many others successfully transition to. I’ve never had a LastPass security scare, and Dashlane requires its Premium version ($19.99/year as of this writing) to enable syncing across all devices and for web access, which I believe are necessary in this day and age (and which are free with LastPass). If you start with LastPass, you can switch to Dashlane in the future if you choose to.

Here’s a LastPass introductory video to help put all these details together:

As a Premium customer, I’ve found it beneficial to have the LastPass app on my phone so I don’t have to constantly login to the mobile site if I need to authorize Facebook, Dropbox, email, or another login. And sometimes it’s just more convenient to login to the LastPass app, search for the site, and click “Launch” instead of copying and pasting into Safari or another mobile browser.

Additionally, the extra sharing features are nice for my purposes, but most people probably don’t need them (hence, the Premium version).

LastPass Tips and Tricks

Primary tip: When signing up for LastPass, use your primary personal email address (e.g. Gmail). You can have personal, business, and other identities and/or groups within identities to keep all your logins organized. A good rule of thumb is to use the same email address you have for Dropbox and other mission-critical services that cross over the separation of personal and professional.

Like any software, there’s a bit of a learning curve, especially with a new category of software. Don’t worry, you’ll get it in no time as you force yourself to use it consistently (because you know it’s the right thing for you to do and the consequences of taking the initially easier way out could be detrimental). After you get the hang of it, you’ll benefit from the extra security and appreciate the time savings!

With all those LastPass goodies listed above, you’re well on your way to getting LastPass to work for you in a short amount of time.

Let me also invite you to take the LastPass Security Challenge (after you’ve set up your account and imported all your passwords; LastPass thinks everyone should have at least 50 in their Vault).

It can automatically change your passwords for sites that are known to have been compromised since you last changed your password. It will give you a score to tell you how “secure” the passwords in your Vault are. Warning: it’ll make you feel like your online security is woefully inadequate (and, statistically, it will be correct), and then you can thank me and LastPass for getting you to take your first steps toward improving your score!
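To show what the “duplicate and/or weak passwords” check and the Security Challenge score are doing under the hood, here is an added example (my own code, not LastPass’s) that audits a CSV file in the shape of a LastPass export. The header names (url, username, password, extra, name, grouping, fav) are my assumption about the export format, the rows are constructed for the example, the weakness rules (length, character classes, a tiny deny-list) are a crude stand-in for whatever LastPass actually uses, and it does not check breach lists:

```python
import csv
import io
import math
from collections import defaultdict

# Constructed sample in the shape of a LastPass CSV export. Header names are an
# assumption about the export format; every row is made up for this example.
SAMPLE_EXPORT = """url,username,password,extra,name,grouping,fav
https://mail.example.com,alice@example.com,Tq9!mV2#xLp4$Wz,,Email,Personal,0
https://bank.example.com,alice,Tq9!mV2#xLp4$Wz,,Bank,Personal,1
https://shop.example.com,alice@example.com,password,,Shop,Personal,0
https://work.example.com,alice,x7#Qp!v2Lm9$zRtW,,Work VPN,Business,0
https://forum.example.com,alice,Summer2013!,,Forum,Personal,0
"""

# Tiny constructed deny-list; a real audit would use a much larger one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "qwerty123", "letmein", "welcome"}

MIN_LENGTH = 12      # assumed policy: shorter than this is flagged weak
MIN_CLASSES = 3      # assumed policy: fewer character classes is flagged weak


def char_classes(pw):
    """Count which of lower/upper/digit/symbol appear in the password."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def entropy_bits(pw):
    """Rough upper bound on brute-force entropy: length * log2(alphabet size)."""
    if not pw:
        return 0.0
    alphabet = 0
    alphabet += 26 if any(c.islower() for c in pw) else 0
    alphabet += 26 if any(c.isupper() for c in pw) else 0
    alphabet += 10 if any(c.isdigit() for c in pw) else 0
    alphabet += 33 if any(not c.isalnum() for c in pw) else 0
    return len(pw) * math.log2(alphabet)


def is_weak(pw):
    """Weak if on the deny-list, too short, or too few character classes."""
    return (pw.lower() in COMMON_PASSWORDS
            or len(pw) < MIN_LENGTH
            or char_classes(pw) < MIN_CLASSES)


def load_vault(csv_text):
    """Parse the export; every row becomes a dict keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def entry_label(entry):
    return entry.get("name") or entry.get("url") or "(unnamed)"


def find_duplicates(entries):
    """Map each reused password to the list of entries sharing it."""
    by_password = defaultdict(list)
    for entry in entries:
        by_password[entry["password"]].append(entry_label(entry))
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def find_weak(entries):
    """Labels of entries whose password fails the weakness rules."""
    return [entry_label(e) for e in entries if is_weak(e["password"])]


def score_vault(entries):
    """0-100: share of entries that are neither weak nor reused anywhere."""
    if not entries:
        return 0
    flagged = set(find_weak(entries))
    for names in find_duplicates(entries).values():
        flagged.update(names)
    return round(100 * (len(entries) - len(flagged)) / len(entries))


def audit(csv_text):
    entries = load_vault(csv_text)
    return {
        "duplicates": find_duplicates(entries),
        "weak": find_weak(entries),
        "score": score_vault(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for pw, names in report["duplicates"].items():
        print("reused on %s" % ", ".join(names))
    print("weak:", ", ".join(report["weak"]))
    print("score:", report["score"])
```

On the constructed vault the Email and Bank entries share one strong password (reused, so both are flagged even though neither is weak), Shop and Forum are weak, and only Work VPN passes, giving a score of 20. A real export should be audited on an encrypted disk and deleted afterwards; it is plaintext.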

Should You Select “Remember Password” or Not?

When logging in, there’s an option to “Remember Email” and “Remember Password” and everyone asks if they should check those boxes.

Short answer: Personally, I do.

Let me offer 3 reasons why I think it’s okay to do so:

If your device (on which you’ve checked the “Remember Password” box) is stolen (e.g. a laptop), you’d most likely know it was stolen because you wouldn’t have it. In that case, you log in to LastPass.com from any computer and change your Master Password (i.e. the password you use to log in to LastPass). When the thief opens your browser, LastPass will no longer log in because the remembered password won’t match. One caveat: the remembered password and a cached copy of your Vault live on the stolen device, and the change only takes effect there once the device next talks to LastPass, so pair “Remember Password” with a screen lock and full-disk encryption on that device.

If it were utterly insecure, LastPass wouldn’t offer it as an option; trust me. They’re all about security.

It’s annoying to keep typing in that perfectly crafted, secure-but-memorable password, especially if you typically work in an environment that isn’t highly mobile, where your device isn’t left lying around asking to be snatched. And if you are constantly in airport terminals or other bustling places with people looking over your shoulder, then it can be considered more secure to “Remember Password” so they aren’t watching your fingers type that ultra-sensitive password (the password to all your passwords), especially if you’re a one-finger typist.

How I Use LastPass with Clients and Others

Because I always keep security in mind with all of my technology services, I never want my actions to be the reason for a security breach (which could lead to lost records, lost business, embarrassing events, and worse). That’s why, when I create email accounts, website login accounts, SFTP logins, and more, I require my clients to receive their login details from me via LastPass.

When receiving login details from clients, friends, or family, ideally they would share them with me via LastPass, but often I find that those who don’t also have other weak security practices, like weak or duplicate passwords. So I take them via email, written on paper, or via carrier pigeon, but I return things better than how I received them. Often these accounts are deleted shortly after signing up with me (e.g. website or email hosting), so the exposure is short-lived.

Since most (if not all) logins I share back to clients are theirs to keep, I “give” (not just “share”) the logins with them. This allows them to see (not just use) the password. Therefore, they could choose to store the password elsewhere and totally abandon LastPass. However, I do my part to deliver the secure information securely.

I can’t think of a situation where, once we got LastPass setup, the person didn’t see the benefit of using it and sticking with it.

The bottom line is that LastPass allows me to work securely with clients, manage many clients’ secure login information in a very organized manner, and help them be more secure in their personal lives after learning the ins and outs of LastPass.